Signing Contents Digitally: An Email Implementation

Post navigation

“I was happy when I design my own signature. Also, deciding to put my signature under this job makes me happier. Characteristic of signatures transforms in time. However, it would be remain same in a day. Letters takes the form of yourself, they makes your name official on a paper”. That’s the cover text of Turkish Singer Sila‘s album named as signature.

One way function is important for signatures

Handwritten signatures proves identity of signer on a marked document. Characteristics of letter formation are unique for every person like finger prints. Also, one’s fine motor skills might affect his handwriting. This leaves clues about signatory’s idendity. So, signatures can be verified by Questioned document examination.

Digital signatures are like handwriten signatures. They demonstrates authenticity of digital content and they can be verified too.

Hash functions are resposible for digesting messages. They are one way irreversible functions. A function has to be one-to-one and onto to be irreversible. In contrast, hash functions are many to one. That’s why, they are irreversible in theory. Calculating remainder of a division operation is a basic primitive hash function example. For instance, remainder is 1 when dividend is 7 and divisor is 3. This operation can be calculated easily. However, dividend cannot be calculated for known divisor and remainder. Because, there are infinite numbers whose remainder is 1 when it is divided by 3 (e.g. 7, 10, 13, …). This explains the irreversiblity. Of course, modern hash functions should not have collisions.

Today, MD5 collision resistance can be broken in 30 seconds with a smartphone. Recently, Google engineers announce first practical SHA-1 collision attack. So, the both MD5 and SHA-1 algorithms are considered to be insecure anymore. Now, SHA-256 and SHA-3 are still thought to be safe.

On the other hand, private and public keys complement each other in public key cryptography. A message, encrypted by public key, can be decrypted by only correlated private key. And vice versa. Generating private – public key pair process is fairly easy whereas extracting private key from known public key is quite hard. For example, RSA algorithms is based on finding prime numbers, multiplying them and getting a large number. Today’s computation power handles it easily. However, you need to find its factors to attack. That’s not a easy job.

Public and private keys complement each other in public key cryptography

Signing a document digitally such as mail or file requires following steps for sender and receiver.

Suppose that Alice sends Bob digitally signed mail.

Alice applies hash algorithm for content and retrieves hash value. Secondly, she uses her private key and encrypts hash value. This encrypted hash value is also called as signature or signed message. Finally, she sends both the content and signature to the Bob.

Bob applies same hash function for received content and he retrieves hash value, too. Then, he decrypts received signature with Alice’s public key (he knows Alice’s public key because it is public). Thus, he can compare decrypted signature and calculated hash. He would verify that content is unchanged if decryptred signature and hash of received content are same. Otherwise, he would be aware of invalidation.

Now, we would implement these instructions into a real world example. The following code block would be used by sender party. In our example, Alice consumes the following code block for sending mail to Bob.

Now, Bob can verify the attached signature. Thus, he ensures that the received mail really came from Alice.

Attached signature is equal to expected one

So, we’ve mentioned how to implement digital signature concept in practice. Also, we’ve implement it with out of the box JCE features. Digital signatures include two main cryptographic concepts: hash functions and public key cryptography algorithms. They provide to verify delivered content is unchanged or unmodified. Finally, source code of the project is shared on GitHub, you might want to clone it.